Mac Malware Detection

The Malwarebytes detection ranked as the second-highest of 2019 is a Mac adware family known as NewTab, clocking in at around 4 percent of our overall detections across all platforms. NewTab is adware that uses browser extensions to modify the content of web pages.

How to Detect and Remove Malware from Your Mac
By Alexander Fox / Dec 5, 2017, updated Aug 31, 2019 / Mac

Thanks to a smaller market share, Macs are not as susceptible to malware infections as their Windows counterparts.

Think your Mac is infected? How to detect and remove viruses and malware on Mac computers

Many Mac computer users believe that Apple computers are perfectly protected from any type of malicious software or virus code. This situation might have been true for some considerable time, however, the prevalence of malware has increased with the growing popularity of Apple products. On the other hand, mobile devices such as iPhone, iPad, and iPod touch remain relatively safe, since most malicious software and viruses are developed to infect the macOS operating system. Despite this, some of these infections transfer from Macs to iOS devices when they are connected via a USB cable.

As compared to the Windows operating system, the Mac operating system includes an increasingly effective protection system. System updates are delivered with a new version of a database including the list of known malware and viruses. This allows computers to search for and block these infections automatically. In the past, Mac computers remained virus free for long periods because malicious software developers predominantly targeted Windows computers. Today, however, Mac computers might be affected by many of the viruses now present on the internet. Built-in protection tools now deal with threats automatically, which often makes it harder to notice whether your Mac is infected, for example from reduced performance. In this article, we describe common cases of computer infections, how the system behaves in response to them, and how to diagnose existing threats.

What is the difference between a virus and malware?

First, we will clarify the definitions of malware and a virus. Malicious software (malware) usually behaves like an ordinary application and often appears to do little when opened. In fact, these applications add extra applications that might display pop-up ads and change the home page and default search engine settings. These infections are mostly used to display advertisements; however, they sometimes also track browsing history, most-used queries, etc. Viruses are small portions of computer code designed to go unnoticed; however, they often reduce Mac performance. Checking Activity Monitor will enable you to see the kernel task consuming extensive computer resources due to the presence of a virus, since it is designed to protect the Mac from overheating.

Most common signs of an infected computer

There are many symptoms of Mac infection, but these vary with the type of software installed on your computer. Here we describe the most common scenarios that should alert you to check for malicious software.

  • Computer performance has noticeably decreased. It becomes sluggish and Activity Monitor displays various mysterious processes running in the background, consuming Mac resources.
  • You notice a new toolbar on the web browser that you have not intentionally installed. In most cases, these toolbars encourage you to shop or search faster by typing a search query directly into the toolbar.
  • Casual Internet browsing loads unexpected results, or redirects to irrelevant websites. Search queries appear within an unfamiliar search engine.
  • Websites that you open display many advertisements, including those that should be ad-free (for example Wikipedia).
  • Your favorite websites (that you normally visit daily) do not load, or you are randomly redirected to advertising webpages.
  • Advertising windows continually pop up on the desktop and you cannot find any association with websites that you browse or programs you run.

If you have noticed any of these symptoms, do not panic - performance is often reduced for a number of reasons, and it may not be the result of a virus or malware on the system. Additionally, some developers attach ads to their software with the intention of introducing you to their other products. Nevertheless, it is always safer to scan your computer for possible threats. Bear in mind, however, that if you simply enter a query describing your problem and download the first result, it might be malware or a fake application.

Most common methods of computer infection

Knowing how malware and viruses infect your computer will help you to diagnose or prevent possible threats. The methods vary with the type of threat, however, there are a number of common ways that unwanted software can infiltrate your computer. Check the list below to ensure that the threats have not infiltrated your Mac.

Malicious software

As mentioned above, malware and malicious software are merely synonyms for a type of threat that is introduced as 'free' (or sometimes paid) software that supposedly cleans or protects your computer from viruses. In the most frequent cases, this software appears when the search query contains keywords about fast, easy, and free virus removal. To avoid these threats, check independent reviews of applications or ask for personal recommendations from other users. These threats are spread by downloads, emails, or even instant messages.

Fake files

Malicious software and viruses are frequently hidden within common files, such as images and Word or PDF documents. Many computer users are aware of the dangers of opening executable files such as .dmg on Mac computers and .exe on Windows, but few believe that simple image or document files might also contain threats. The best precaution is to open files from trusted or known sources only, and avoid opening data that appears on your desktop randomly or together with installation of untrusted software.

Fake updates or system tools

Another popular and confusing method used to spread malware is through various pop-up dialog boxes. These encourage you to upgrade your software or install additional tools to access the content. The Adobe Flash Player browser plug-in is a popular way to hide threats within its installation files. We strongly recommend that you add and update this plug-in through the official website only.

Randomly contacted by 'technical help'

Occasionally there are cases whereby users receive calls from people claiming to be Apple or Microsoft 'technicians'. They often state that your computer is likely to be infected and you should follow some steps to clean it. Following their guidance will add malicious software to your system.

Built-in protection tools

Together with system updates, Apple includes tools that work in the background to protect users from malware and viruses. You are advised to check how they are invoked and what actions they perform.

File Quarantine or Gatekeeper

Most Mac users are familiar with this tool, but not all are aware of how it is invoked and what function it actually performs. When attempting to open an application you have downloaded or installed from external storage, you will see a warning message that displays information about the source from which it was downloaded. You must manually choose to open the file, unless the application was downloaded from the Mac App Store, since these apps are acquired from a trusted Apple source. If you are trying to launch an application that was not digitally signed by the developer (a condition enforced by Apple), the File Quarantine/Gatekeeper tool will block access to this particular application.

Xprotect

This tool contains a slightly more aggressive prevention policy against files that are recognised as possible malware or virus infections. When trying to open files for the first time after download, this tool checks the entire package and compares it with the database of known malware or viruses. If it finds any matches, you will see a message stating that files are infected or damaged and the only option offered is to move the file to trash. The Xprotect tool works very successfully and is one of the main reasons why infected Mac computers are rare. This tool might sometimes block older versions of legitimate software, such as Java or Flash plug-in, since it was proven that these plug-ins are vulnerable to malware attacks.

Use Combo Cleaner to clear your Mac

Combo Cleaner contains two virus scan engines. The first checks for Mac-based malware infections, while the second searches for generic PC security threats. This software scans the Mac and also checks web browsers for potentially unwanted plug-ins and infected emails. Although infected emails do not directly cause system problems, this option prevents possible threats spread via email messages. First, visit the Combo Cleaner developers' website and get the software. Then, launch it and select Antivirus in the left side panel. Choose Quick Scan, Full Scan, or Custom Scan. Quick Scan is the best option when you suspect that you might have threats on your computer but do not have time to perform a full scan. Full Scan will scan all files stored on the Mac hard disk. This option might take some time, depending on the number of files your storage contains. A Custom Scan might be the best option when you wish to check specific files or folders.

Recommended actions when Mac is infected

Following the steps below, you can decrease the risk of problems that may be caused by malicious software. Also, you will be able to eliminate threats to the Mac.

Avoid entering passwords

If you suspect that your computer might be infected by a virus or malware, do not enter any passwords or login details, due to the possibility of a hidden keylogger running in the background. This software is commonly deployed with malware and viruses. Bear in mind that some of these infections record periodic screenshots, so you should also avoid revealing any passwords by copying and pasting from a document or clicking the Show password option.

Stay offline

Another good precaution is to disconnect from the Internet. Turn off the Wi-Fi and/or unplug the Ethernet cable from your computer until you are sure the computer is safe. This will protect your private data from any third parties, since most data that malware collects is sent to servers where its developers can access it.

Activity Monitor

If the information above helped you to consider recent files you have downloaded or installed to your computer, try to remember their name. If the application is running, turn it off by using the keyboard shortcut of Command and Q or simply click the Quit button in the top left corner of the window. Further, open Activity Monitor by using Spotlight or going to Applications and then the Utilities folder through Finder. Once Activity Monitor is launched, locate the search field at the top right corner of the window and type the name of the malicious software. Often, you will find that the application is still running in the background, even though you have closed it recently. Select the running app and click the X icon at the top left of the toolbar and click Force quit. Most malware developers are aware of this situation, and thus deliver random, unused names, to make it difficult to find the particular process in this way.

Shut down and restore

If it is possible, turn off your computer and enter Recovery Mode by holding down the Command and R keys while pressing the power button - hold down these keys until you see the Apple logo. Restore your Mac from a recent backup, such as Time Machine or another application. Bear in mind that you should select a backup created prior to the point at which you believe the Mac was infected. When the restore process finishes and your computer is rebooting, ensure that external storage is not connected to the Mac (if it previously had contact with the infected device). Also be vigilant and do not open fake applications, emails, or files that contain threats. The best option is to connect external storage to a Windows computer running antivirus software (although the infection is based on a Mac operating system, these programs should be able to detect and remove it).

Protect credit card details

If you think your computer was infected with one of the methods listed above, delete the files immediately. If, however, you have made any transfers or purchases from your credit card, especially for software that appeared to be fake, contact your credit card company or bank immediately and explain the situation to ensure that your credentials are not used elsewhere. You might receive refunds for bogus money transfers.

Clear junk files

To ensure you have eliminated the infection completely, also clear all the junk files. Clear the Internet browser cache manually. Open Safari and click on Safari in the menu bar at the top of your screen, then select Clear History. In the new pop-up window, select All history from the drop-down list, and finally click Clear History. Next, delete the entire contents of the Downloads folder. Open this folder through Finder, select all files within and drag them to Trash, or right-click and select Move to Trash. Finally, open Trash and select the Empty Trash option.

Change passwords

A final option is to secure all logins. Once you are sure the computer is completely clear of infections, change all passwords, including those of websites, cloud services, applications, etc. You are advised to contact your credit card company or bank to notify them of the current situation - they might then heighten attention for attempts to access your account in future.

Reinstall macOS

If you have endured many unsuccessful attempts to clean the Mac, there is another option that will work in most cases: consider a complete reinstallation of the Mac operating system. Detailed instructions are in this guide.

In our recent post, How Malware Persists on macOS, we discussed the ways that threat actors can ensure that, once they've breached a macOS device, their malicious code will survive a logout or device restart. But persistence is only one element of the kill chain, and some threat actors are known to shun persistence in favor of either one-time infections or a reusable vulnerability to remain stealthy. Then there's the possibility of malware achieving its objectives and cleaning up after itself, effectively aiming to leave without a trace. Clearly, just looking for persistence items isn't sufficient for threat hunting, so in this post we'll take a deeper dive into how you can hunt for threats on a macOS device.

Gathering Information about the Mac

How you go about hunting down malware on a macOS endpoint depends a great deal on what access you have to the device and what kind of software is currently running on it. Of course, if you have a SentinelOne-protected Mac, for example, you can do a lot of your hunting right there in the management console or by using the remote shell capability, but for the purposes of this post, we're going to take an unprotected device and see how we can detect any hidden malware on it. The principles remain the same if you have a protected device, and understanding what and where to look will help you use any threat hunting software you may already have more effectively.

The other thing to consider is whether you have access to the device directly, or only via a command line, or only via logs. For the purposes of this exercise, we're going to assume that you have access to the command line and to any logs that can be pulled from it.

Step 1: Get a List of Users

The first thing you need to know is what user accounts exist on the Mac. There are a couple of different ways of doing that, but the most effective is to look at the output from dscl, which can show up user accounts that might be hidden from the System Preferences app and the login screen.

A command like

$ dscl . list /Users UniqueID

will show you a lot more than just listing the contents of the /Users folder with something like ls, which won't show you hidden users or those whose home folder is located elsewhere, so be sure to use dscl to get a complete picture.

A downside of the dscl list command is that it will flood you with perhaps 100 or more accounts, most of which are used by the system rather than by console (i.e., login) users. We can narrow the list down by filtering out the system accounts, ignoring those that begin with an underscore:

$ dscl . list /Users UniqueID | grep -v ^_


However, there's nothing to stop a malicious actor from creating an account name that begins with an underscore, too.

So you should both check through the full list and supplement the user search with other info about user activity. A great command to use here is w, which tells you every user that is logged in and what they are currently doing.

Here we see that user _mrmalicious, which wouldn't have appeared if we had filtered the dscl list by grepping out underscores, is using bash.

While the w utility is a great way to check out who is currently active, it won't show up a user that has been and gone, so let's supplement our hunt for users with the last command, which indicates previous logins.

$ last

Here's a partial output, which suggests our user briefly logged in and then shut down the system.
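One way to avoid throwing away an underscore-prefixed login account when narrowing the dscl output, as an added example (not code from the original post): instead of filtering on the name prefix, filter on the UID, since macOS assigns system accounts low UIDs and console users UIDs from 501 upward. The function names are mine and the `dscl`-shaped sample is constructed.

```shell
# Added example: triage a user list in the shape of `dscl . list /Users UniqueID`
# by UID rather than by name prefix. On a real Mac, feed the live output in:
#   dscl . list /Users UniqueID | console_accounts

# Constructed sample: one hidden-looking account (_mrmalicious) has a login UID.
SAMPLE_DSCL='_appstore                 33
_mrmalicious              502
_spotlight                89
daemon                    1
nobody                    -2
root                      0
alice                     501
bob                       503'

# Every account in the console-user UID range (500 and above), whatever its name.
console_accounts() {
    awk '$2 >= 500 { print $1, $2 }'
}

# Underscore-prefixed names are expected only for system accounts; one that
# carries a console UID is exactly what a `grep -v ^_` filter would discard.
suspicious_accounts() {
    awk '$1 ~ /^_/ && $2 >= 500 { print $1, $2 }'
}

# Everything the underscore filter would hide, so it can be reviewed rather than dropped.
hidden_by_underscore_filter() {
    awk '$1 ~ /^_/ { print $1, $2 }'
}

printf '%s\n' "$SAMPLE_DSCL" | suspicious_accounts   # prints: _mrmalicious 502
```

Cross-check the console accounts against `w` and `last` afterwards; a login-range account that has never appeared in either deserves a second look.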

Step 2: Check for Persistence

We've already covered this in a previous post, so please head there first and check out some of the obvious and not-so obvious ways we describe that bad actors can use to persist across sessions on a Mac.

Remember also that when looking for LaunchAgents and other processes, you have to consider all users on the Mac, including the root user, which if present should be found at /var/root.

Here's one piece of Mac malware that likes to run from there. A system-level LaunchDaemon that runs on every boot for all users calls a Python script hidden inside an invisible folder in the root user's Library folder.

We also need to consider persistence methods that take advantage of open ports and an internet connection, so we'll start looking into those next.

Step 3: Check Open Ports and Connections

Malware authors interested in backdoors will often try to set up a server on an unused port to listen for connections. A good example of this is the recent Zoom vulnerability, which forced the company to push out an emergency patch in an attempt to address a zero-day vulnerability for Mac users. Zoom had been running a hidden server on port 19421 that could potentially expose a live webcam feed to an attacker and allow remote code execution. This is a good example of just how easy it is for one privileged process to set up a persistent server that could act as a backdoor and evade detection by ordinary users, as well as by macOS's built-in security mechanisms.

To detect this kind of issue, we can use netstat and lsof.

First, we use

$ netstat -na | egrep 'LISTEN|ESTABLISH'

to list services that are either listening for connections or already connected.

We can see that there are servers listening in on ports 22, 88, and 445. These indicate that the Mac's Sharing preferences are enabled for remote login and remote file sharing. A full list of ports used by Apple's services can be found here.

Next, let's use

$ lsof -i

to list all files with an open IPv4, IPv6 or HP-UX X25 connection.

This output gives us quite a bit of useful information, including the IP address, command and PID. We can query the ps utility for more information on each process.

$ ps -p

Step 4: Investigate Running Processes

The ps command has a lot of useful options and is one of a number of tools you can use to see what's running on a Mac at the time of collection.

One of the first things I'll do is get a full list of all processes by running this as the superuser

$ ps -axo user,pid,ppid,%cpu,%mem,start,time,command

I will normally dump that out to a text file and pay particular attention to commands where the PPID, the parent process identifier, is something other than 1, indicating a process spawned by some user process rather than directly by launchd.
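Rather than scanning the PPID column by eye, the parent/child relationships can be rebuilt from that same `ps` output; this is an added example, not code from the original post. `process_chains` is my name, and the `ps` table below is constructed (the hidden Python script under /var/root mirrors the LaunchDaemon case described earlier; example.invalid is a reserved test domain).

```shell
# Added example: for every process not parented directly by launchd (PID 1),
# print its ancestry back up to launchd. On a real Mac pipe in the live output:
#   sudo ps -axo user,pid,ppid,%cpu,%mem,start,time,command | process_chains

# Constructed sample in the column layout of the ps invocation above.
SAMPLE_PS='USER  PID PPID %CPU %MEM STARTED TIME    COMMAND
root      1    0  0.0  0.1 9:01AM  0:02.10 /sbin/launchd
root    412    1  0.0  0.2 9:01AM  0:00.30 /usr/sbin/sshd
alice   530    1  0.1  1.5 9:02AM  0:05.00 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
root    611    1  0.0  0.3 9:03AM  0:00.20 /usr/bin/python /var/root/Library/.hidden/updater.py
root    612  611  0.0  0.1 9:03AM  0:00.05 /bin/sh -c /var/root/Library/.hidden/run.sh
root    613  612  0.0  0.1 9:03AM  0:00.01 /usr/bin/curl http://example.invalid/beacon
alice   700  530  0.2  2.0 9:10AM  0:01.00 /Applications/Safari.app/Contents/MacOS/Safari'

# Prints "PID USER COMMAND <- PPID COMMAND <- ..." for each process whose
# parent is not launchd, walking upward until launchd or an unknown PID.
process_chains() {
    awk '
        NR == 1 { next }                            # column header
        {
            cmd = $8                                # COMMAND may contain spaces
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            order[++n] = $2; user[$2] = $1; parent[$2] = $3; command[$2] = cmd
        }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                if (parent[p] + 0 <= 1) continue    # launchd itself, or a direct launchd child
                line = p " " user[p] " " command[p]
                depth = 0
                for (q = parent[p]; (q in command) && q + 0 > 1 && depth < 64; q = parent[q]) {
                    line = line " <- " q " " command[q]
                    depth++
                }
                print line
            }
        }'
}

printf '%s\n' "$SAMPLE_PS" | process_chains
```

A chain like curl <- sh <- python-from-a-hidden-folder stands out immediately, whereas Safari <- Finder is the ordinary shape of a user launching an app.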

I also like to dump the output from

$ lsappinfo list

as that gives a lot of useful information about applications including the executable path, pid, bundle identifier (useful for detection purposes) and launch time.

You should also examine running daemons, agents and XPC services through the launchctl utility. I find the older, deprecated (but still functional) syntax somewhat easier to parse than the newer syntax, but that may be just my preference from habit, so experiment with either.

In the old syntax, you can simply run

$ launchctl list

to get a lot of useful information on what's running in that particular user's domain. The same command prepended with sudo will produce a list of services running in the system-wide domain.

For the newer syntax, use something like

$ launchctl print user/501

Replace 501 with the UID of any user you're interested in. Use

$ launchctl print system

to target the system-wide domain.

The output between the old and the new syntax is quite different, and which you find more useful may depend on what kind of information you want. I often use the old syntax and grep out anything with a com.apple label so that I can focus on (mostly) non-system processes. However, some macOS malware deliberately uses the name 'apple' in its labels precisely in an attempt to hide in the weeds, so if you do follow that suggestion be sure that you're parsing items with 'apple' labels somewhere else, too (e.g., from the data you gathered by examining the Launch folders or from using the ps utility).
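A safer alternative to grepping out every com.apple label, as an added example (not code from the original post): treat a label as trusted only when the same label is defined by a plist under SIP-protected /System/Library/LaunchAgents or /System/Library/LaunchDaemons, and flag anything else that merely contains "apple". `triage_labels` is my name; both the `launchctl list` sample and the trusted-label list are constructed.

```shell
# Added example: sort `launchctl list` entries into OK (label backed by a
# SIP-protected system plist), CHECK (apple-like label with no system plist)
# and REVIEW (third-party label). Columns are whitespace separated:
# PID, Status, Label. On a real Mac, build the trusted list with e.g.
#   grep -h -A1 '<key>Label</key>' /System/Library/Launch*/*.plist \
#     | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' | tr '\n' ' '

# Constructed `launchctl list` sample.
SAMPLE_LAUNCHCTL='PID Status Label
412 0 com.apple.sshd
- 0 com.apple.Spotlight
- 0 com.apple.mdworker.shared
611 0 com.apple.systemhelper.agent
- 0 com.apple-finder.helper
- 0 com.adobe.AdobeCreativeCloud
533 0 org.homebrew.update'

# Constructed list of labels whose plists live under /System/Library.
TRUSTED_LABELS='com.apple.sshd com.apple.Spotlight com.apple.mdworker.shared'

# Usage: printf '%s\n' "$launchctl_output" | triage_labels "$TRUSTED_LABELS"
triage_labels() {
    awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1 }
        NR == 1 { next }                            # column header
        {
            label = $3
            if (label in known)                print "OK    ", $1, $2, label
            else if (tolower(label) ~ /apple/) print "CHECK ", $1, $2, label
            else                               print "REVIEW", $1, $2, label
        }'
}

# Show only what needs a human: the CHECK and REVIEW rows.
printf '%s\n' "$SAMPLE_LAUNCHCTL" | triage_labels "$TRUSTED_LABELS" | grep -v '^OK'
```

For each CHECK row, locate the plist in the user and local Launch folders and read its ProgramArguments; that path is usually the next lead.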

Step 5: Investigate Open Files

Earlier we used lsof with the -i option to list open ports, but we can also list all open files by just running lsof without any flags at all. That produces quite a mountain of information and you'll want to quickly narrow it down to make it manageable.

If the system is running with System Integrity Protection turned on (tip: you can determine that with the command csrutil status), I will normally parse the output of lsof in something like BBEdit and remove all lines that contain references to the System folder. Bear in mind that doing so could cause you to miss something – not all System folders are protected by SIP, but in the early stages of an investigation I will leave that kind of possibility for later in the event that I don't find any other IOCs (Indicators of Compromise).

For similar reasons, I'll tend to focus first on open files that don't belong to regular apps. Again, keep in mind the caveat that malware authors can sometimes use regular apps to live off the land, exploit browser zero days or sneak in via supply chain attacks, so be judicious in what you filter out and remember to go back over anything you skimmed or ignored later on if necessary.

Step 6: Examine the File System

If I haven't found any suspicious processes at this point, that could well be because the malware has already finished its execution, so next it's time to start making an initial investigation into the file system. At this point, we're just trying to establish that a threat exists, rather than do a deep forensic dive on the entire system (we'll cover that in a future post), so let's look at some of the resources you can quickly access and parse to look for evidence of malicious behaviour.

A word of warning, though, before we start. If you're dealing with a macOS system from 10.14 Mojave onwards, you may find command line investigations hampered by macOS's recent user protections. In order to avoid those, ensure that Terminal has been added to the Full Disk Access panel in the Privacy pane.

I tend to start by making an initial audit of files in certain locations that are often populated by malware. These include hidden files and folders in the user's home folder, unusual folders added to the /Library and ~/Library folders, and the Application Support folders within all of those (remember there's a separate Library folder for every user as well as the one at the computer domain level).

You can get those for the current user and the computer domain with a one-liner:

$ ls -al ~/.* ~/Library /Library ~/Library/Application\ Support /Library/Application\ Support/

You'll need to drop down to sudo and iterate over users with a bash script if there's more than one user account on the Mac.

Next, check the /Users/Shared folder, and the temp directories at /private/tmp and the user's Temporary Directory (these are not the same), which you can get to using the $TMPDIR environment variable.

$ ls -al /Users/Shared
$ ls -al /private/tmp
$ ls -al $TMPDIR

Also, don't forget that you should already have a list of items present in the Launch folders and any Cron jobs from your investigation into persistence mechanisms. More often than not the program arguments of these will have already led you to other locations of interest.

In the majority of cases, if a Mac has been infected the above steps will have turned up something and directed my searches further, but if not, there are still a few other things to look for. If the suspected infection is still relatively recent (within a few days or less), you can try a find search for any files modified since a certain time or between two times. For example, this will find any files modified in the current working directory in the last 30 minutes. You can substitute h for m to specify hours, or leave off the specifier and it will default to days.

$ find . -mtime +0m -a -mtime -30m -print

Depending on how much regular activity there has been on the device since then, and how long the timespan you search for, that could result in an overwhelming amount of data or just enough to be manageable, so adjust your search parameters to suit.

We can also query the LSQuarantine database to see what items have been downloaded by email clients and browsers.

$ sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineEventIdentifier, LSQuarantineAgentName, LSQuarantineAgentBundleIdentifier, LSQuarantineDataURLString, LSQuarantineSenderName, LSQuarantineSenderAddress, LSQuarantineOriginURLString, LSQuarantineTypeNumber, date(LSQuarantineTimeStamp + 978307200, 'unixepoch') as downloadedDate from LSQuarantineEvent order by LSQuarantineTimeStamp' | sort | grep '|' --color

Again, you could get a lot of data to sift through here, but filter on the dates to find recent items. The good side of LSQuarantine is that it will give you the exact URL from which the file was downloaded, and you can check this against reputation data on VirusTotal or other sources. The downside of LSQuarantine is that the database is easily purged by normal actions the user (or a malicious actor) can take in the UI, so not finding a file there doesn't mean it never came through the quarantine process.

Another useful trick here is to see what turns up just by doing an mdfind query on the quarantine bit:

$ mdfind com.apple.quarantine

That should find documents – which are also tagged with the quarantine bit – that have been downloaded, including malicious PDF, Word .docx and other files. Again, there'll be a lot of innocent stuff in the results, so careful filtering will be required.

Step 7: Examine the Mac's Network Configuration

Malware authors on macOS have in some cases manipulated the DNS and AutoProxy network configurations, so it's always worth checking on these settings. You can get all these from the command line, so first let's get the details of the network interface configuration with this command:

$ ifconfig

That will output information regarding the wireless, ethernet, bluetooth and other interfaces. You'll also want to gather the SystemConfiguration property list to look out for malware that tries to hijack the Mac's DNS server settings, as OSX.MaMi was seen to do in 2018.

$ plutil -p /Library/Preferences/SystemConfiguration/preferences.plist

Use this command

$ scutil --proxy

to inspect the Mac's auto proxy settings. Spyware like OnionSpy has been seen to configure these settings to redirect user traffic to a server of the attacker's choosing.
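To make the proxy check scriptable, the enabled entries can be pulled out of the `scutil --proxy` dictionary; this is an added example, not code from the original post. `enabled_proxies` and `proxy_check` are my names, and the sample output is constructed (198.51.100.7 is a documentation address, not a real OnionSpy indicator).

```shell
# Added example: list every enabled proxy in `scutil --proxy` output. A Mac
# with no proxy configured prints nothing, which is the normal clean state.
# On a real Mac:  scutil --proxy | enabled_proxies

# Constructed sample: a PAC URL and a SOCKS proxy both pointing at one host.
SAMPLE_SCUTIL='<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
    1 : 169.254/16
  }
  FTPPassive : 1
  HTTPEnable : 0
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://198.51.100.7/proxy.pac
  SOCKSEnable : 1
  SOCKSPort : 1080
  SOCKSProxy : 198.51.100.7
}'

# Collect every "Key : Value" pair, then report the enabled proxy kinds with
# their targets (PAC URL, WPAD auto-discovery, or host:port).
enabled_proxies() {
    awk '$2 == ":" { v[$1] = $3 }
         END {
             if (v["ProxyAutoConfigEnable"] == 1)    print "PAC", v["ProxyAutoConfigURLString"]
             if (v["ProxyAutoDiscoveryEnable"] == 1) print "WPAD", "auto-discovery"
             if (v["HTTPEnable"] == 1)  print "HTTP",  v["HTTPProxy"] ":" v["HTTPPort"]
             if (v["HTTPSEnable"] == 1) print "HTTPS", v["HTTPSProxy"] ":" v["HTTPSPort"]
             if (v["SOCKSEnable"] == 1) print "SOCKS", v["SOCKSProxy"] ":" v["SOCKSPort"]
         }'
}

# Succeeds only when no proxy is enabled, so it can gate a scripted sweep.
proxy_check() {
    [ -z "$(enabled_proxies)" ]
}

printf '%s\n' "$SAMPLE_SCUTIL" | enabled_proxies
```

Any enabled entry on a machine that is not deliberately behind a corporate proxy, and especially a PAC URL or SOCKS host you do not recognise, is worth treating as a finding.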

Dive Into macOS's Hidden Databases

Depending on what access and authorization you have, it's also possible to dive a lot deeper and recover very fine-grained information about file system events, users' browsing and email history, application usage, connected devices and more. In a future post on macOS Digital Forensics and Incident Response, we'll cover things like Apple's built-in system_profiler and sysdiagnose utilities, unified logging, fsevents and a plethora of sqlite caches that hold almost every detail you could ever wish to know. In the majority of cases, the steps outlined above will be sufficient to find evidence of even the most stealthy macOS malware, but digging down into the hidden depths of macOS may provide you with more evidence that can help in detection, remediation, and attribution.

Conclusion

If you are interested in learning how to hunt malware infections on macOS, whether it's cryptominers, adware, backdoors or nation state actors, the steps outlined above should give you a good start on where to look and what to look for. Don't forget also to review our post on macOS persistence mechanisms as these are often the easiest indicators to detect, and if you're interested in reversing macOS malware, check out our series on how to do that safely, too. And before you go, don't forget to follow the blog and we'll let you know when our next post is out.
